Recent research shows that organizations typically take upwards of 200 days (dwell time) to realize that they have been victims of an advanced attack. High-profile data breaches in the news represent only a fraction of the intrusion activity carried out globally. Knowing whether your organization has been breached and identifying ways to reduce risk is crucial to preventing your organization from becoming the next major data breach headline.
77%
of 2,800 IT professionals in a survey said their organization does not have a formal cybersecurity incident response plan.
191 Days
The average time needed to fully contain a data breach.
66 Days
The average length of time it takes for an organization to identify a data breach.
Threat hunting enables the reduction of Mean Time to Detect and Mean Time to Response. This reduction can happen if an organisation works continuously to detect attacker activity – this can be done by implementing an Active Threat Hunting Program.
What is Threat Hunting?
It is the process of proactively and iteratively searching through networks, endpoints, and datasets for evidence of a breach.
Hunters hunt for
Indicators of Compromise (IOCs)
Indicators of Attack (IOAs)
Network-Based Artifacts
Host-Based Artifacts
But I have a SOC, why do I need a Threat Hunting Program?
SOC Monitoring, works on a reactive approach of use-cases. Different use-cases are made based on pre-defined criteria like multiple login failures, and a SOC Analyst would react to that triggered use-case.
Threat Hunting works based on hypotheses, where a Threat Hunter understands your existing environment and builds Hunt-Cases. These hunt-cases would be mapped to different attacker and attacker group behavior via MITRE mappings and using these cases, the Hunter would continuously search your environment for signs of a compromise.
Threat Hunting doesn’t replace the existing SOC and IR teams, but is built to complement them. It enables your security team to quickly respond to unknown threats before they can damage your organisation.
How can we help?
Our threat hunting service incorporates automated and manual analyses. We have an expert team of hunters who have experience in hunting via different SIEMs. They are our purple team and bring with them a wealth of knowledge from both Blue and Red Teams. They have worked on a wide variety of data sources from network, operating systems, identity management systems, endpoints and other security technologies. This is further enhanced by Network Intelligence’s experience in responding to breaches that lead to a greater depth of understanding attack Tactics, Techniques, and Procedures (TTPs).
